HTTPS Everywhere

There is a new HTTPS Everywhere beta release, 0.9.2! (install) (what changed?)

HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites.

Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site.

The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS. Firefox users can get it by clicking here:

Encrypt the Web: Install HTTPS Everywhere

The plugin currently works for:

  • Google Search
  • Wikipedia
  • Twitter
  • Facebook
  • bit.ly
  • GMX
  • Wordpress.com blogs
  • The New York Times
  • The Washington Post
  • Paypal
  • EFF
  • Tor
  • Ixquick


(and many other sites)

Sadly, many sites still include a lot of content from third party domains that is not available over HTTPS. As always, if the browser's lock icon is broken or carries an exclamation mark, you may remain vulnerable to some adversaries that use active attacks or traffic analysis. However, the effort that would be required to eavesdrop on your browsing should still be usefully increased.

HTTPS Everywhere can protect you only when you're using sites that support HTTPS and for which HTTPS Everywhere includes rules. If sites you use don't support HTTPS, ask the site operators to add it; only the site operator is able to enable HTTPS support on the site. There is more information and helpful instruction in the EFF article How to Deploy HTTPS Correctly.

If HTTPS Everywhere doesn't include rules for a site you use, you can ask us or learn how to create them.

Answers to common questions may be on the frequently asked questions page.


The 0.9.x release

The 0.9.0 release of HTTPS Everywhere is a new beta version designed to offer improved protection against Firesheep. Most notably, it can provide much better protection for Facebook, Twitter and Hotmail accounts, as well as completely new protection for bit.ly, Dropbox, Amazon AWS, Evernote, Cisco and Github. Unfortunately, in order to obtain maximum Firesheep protection, especially on Facebook, you must take two extra steps:

  • Turn on the "Facebook+" rule. You can do that in the Tools->Add Ons->HTTPS Everywhere->Preferences menu. It isn't on by default, because it can cause Facebook Apps to raise errors. We're still waiting for Facebook to fix this, and the chat problem :(.
  • Install the Adblock Plus Firefox extension too, and use it to block the insecure http:// ads and trackers that Facebook (and other sites) sometimes include.

Further information on what else has changed since 0.2.2 can be found in the Changelog.

Development and Writing Your Own Rulesets

You can help us test forthcoming rulesets and features by installing the development branch of the extension.

Send feedback on this project to the https-everywhere AT eff.org mailing list. You can also subscribe.

HTTPS Everywhere uses small ruleset files to define which domains are redirected to https, and how. If you'd like to write your own ruleset, you can find out how to do that here.
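
To illustrate how a ruleset can decide which requests are upgraded and how, here is an added example (not code from HTTPS Everywhere) of a small rewriter. The rule shape (target hosts, exclusion patterns, from/to regular expressions), the names RULESETS, hostMatches and rewrite, and the example.com rules are all assumptions constructed for this illustration.

```javascript
// Constructed sample ruleset; hosts and patterns are illustrative only.
const RULESETS = [
  {
    name: "Example (constructed)",
    targets: ["example.com", "*.example.com"],
    // URLs matching an exclusion are left alone (content not offered over HTTPS).
    exclusions: [/^http:\/\/static\.example\.com\/legacy\//],
    rules: [
      { from: /^http:\/\/(www\.)?example\.com\//, to: "https://www.example.com/" },
      { from: /^http:\/\/([^/:@.]+)\.example\.com\//, to: "https://$1.example.com/" },
    ],
  },
];

// A target matches a host exactly, or as "*.domain" for any subdomain.
// Matching on the parsed hostname keeps look-alike hosts such as
// "example.com.example.net" out of the ruleset.
function hostMatches(target, host) {
  if (target.startsWith("*.")) return host.endsWith(target.slice(1));
  return host === target;
}

// Return the rewritten URL, or null when the request must stay as it is.
function rewrite(url, rulesets = RULESETS) {
  let host;
  try {
    host = new URL(url).hostname;
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  for (const rs of rulesets) {
    if (!rs.targets.some((t) => hostMatches(t, host))) continue;
    if (rs.exclusions.some((re) => re.test(url))) continue;
    for (const rule of rs.rules) {
      // First matching rule wins; the rest of the URL is preserved.
      if (rule.from.test(url)) return url.replace(rule.from, rule.to);
    }
  }
  return null;
}
```

Because only hosts listed in a ruleset are rewritten, a request to any other site passes through unchanged, which matches the page's point that protection exists only where rules exist.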

Information about how to access the project's Git repository and get involved in development is here.

Related Projects

Our code is partially based on the STS implementation from the groundbreaking NoScript project (there are other STS implementations out there, too).

HTTPS Everywhere aims to have a simpler user experience than NoScript, and to support complex rewriting rules that allow services like Google Search and Wikipedia to be redirected to HTTPS without breaking anything. It also handles situations like https:// pages that redirect back to http:// in a reasonable manner.

In an ideal world, every web request could be defaulted to HTTPS. Unfortunately, there's no way to know that what you get from requesting https://www.domain.com/page is the same as what you get from requesting http://www.domain.com/page. So the only way to switch every page to https is to fetch the page insecurely first. There is a Chrome extension called KB SSL Enforcer which attempts to take that approach, but it does not appear to be implemented securely; when we tested it, it seemed to always use http before https, which means that your surfing habits and authentication cookies are not protected (this may be a limitation of the Chrome Extensions framework).

License

HTTPS Everywhere is licensed under the GNU General Public License, version 2 or later. To get the source code, see the development page.

Attachments (with size):

  • https-everywhere-0.2.2.xpi (47.79 KB)
  • https-everywhere-0.3.0.development.1.xpi (54.76 KB)
  • https-everywhere-0.9.2.xpi (55.82 KB)
  • https-everywhere-0.9.9.development.1.xpi (153.05 KB)
  • Changelog.txt (4.73 KB)
